Dsdiag
Applies To: Windows Server 2003 R2
Dsdiag
Analyzes the state of the Active Directory directory service, or the Active Directory Application Mode (ADAM) directory service, and reports any problems, to assist in troubleshooting. Dsdiag provides detailed information about how to identify abnormal behavior in the system.
Dsdiag consists of a framework for running tests and a series of tests to verify different functional areas of the system. This framework selects which directory services are tested, according to scope directives from the user.
Note
Some Dsdiag tests apply only to Active Directory.
Syntax
Examples
Formatting legend
Syntax
dsdiag /s:adamserver [/n:NamingContext] [/u:Domain\UserName /p:{* | Password | ""}] [{/a | /e}] [{/q | /v}] [/i] [/f:LogFile] [/ferr:ErrLog] [/c [/skip:Test]] [/test:Test][/d][/fix] [{/h | /?}]
Parameters
- ****/s:adamserver
Uses adamserver as the home server. This parameter is required.
- /n: Partition
Uses Partition as the application directory partition to test. Domains may be specified in network basic input/output system (NetBIOS), Domain Name System (DNS), or distinguished name formats.
- /u:Domain\UserName /p:{* | Password | ""}
Uses Domain\UserName credentials for binding, with Password as the password. Use "" for an empty or null password, or use * to prompt for the password.
- /a
Tests all the servers on this site.
- /e
Tests all the servers in the entire enterprise. Overrides /a.
- /q
(Quiet) Prints only error messages.
- /v
(Verbose) Prints extended information.
- /d
(Debug) Prints configuration information for the entire enterprise, and displays verbose output information. This parameter can be useful for discovering detailed information about a directory server.
- /i
Ignores superfluous error messages.
- /fix
Only affects the MachineAccount test. This parameter causes the test to repair the service principal names (SPNs) on the machine account object of the directory server.
- ****/f:LogFile
Redirects all output to LogFile. The /f parameter operates independently of /ferr.
- ****/ferr:ErrLog
Redirects fatal error output to a separate file called ErrLog. The /ferr parameter operates independently of /f.
- /c
(Comprehensive) Runs all tests except DcPromo and RegisterInDNS, including nondefault tests. Optionally, this parameter can be used with /skip to skip specified tests. The following tests are not run by default: TopologyCutoffServersOutboundSecureChannels
- ****/skip:Test
Skips the specified test. This parameter must be used with /c. This parameter should not be run in the same command with /test. The only test that cannot be skipped is Connectivity.
****/test:Test
Runs only this test. The nonskippable test Connectivity is also run. This parameter should not be run in the same command with /skip.Note
All tests except DcPromo and RegisterInDNS must be run on computers that have been promoted to directory server.
Valid tests are as follows:
- Connectivity
Tests whether directory servers are DNS registered, can be pinged, and have Lightweight Directory Access Protocol/remote procedure call (LDAP/RPC) connectivity.
- Replications
Checks for timely replication and any replication errors between directory servers.
- Topology
Checks that Knowledge Consistency Checker (KCC) has generated a fully connected topology for all directory servers.
- CutoffServers
Checks for any servers that are not receiving replications because their partners are not available.
- NCSecDesc
Checks that the security descriptors on the application directory partition heads have appropriate permissions for replication.
- NetLogons
Checks that the appropriate logon privileges exist to allow replication to proceed.
- Advertising
Checks whether each directory server is advertising itself in the roles it should be capable of fulfilling. This test fails if the Net Logon service has stopped or failed to start.
- KnowsOfRoleHolders
Checks whether the directory server can contact the servers that hold the five operations master (also known as flexible single master operations, or FSMO) roles.
- Intersite
Checks for failures that would prevent or temporarily hold up intersite replication, and tries to predict how long it will take before the KCC is able to recover. Caution- Results of this test are often not valid.
- FSMOCheck
Checks that the directory server can contact a Key Distribution Center (KDC), Time Server, Preferred Time Server, primary directory server (primary domain controller (PDC)), and global catalog server. This test does not test any of the servers for operations master roles.
- RidManager
Checks whether the RID master is accessible and if it contains the proper information.
- MachineAccount
Checks whether the machine account is properly registered and the services are advertised.
- Services
Checks whether the appropriate directory server services are running.
- OutboundSecureChannels
Checks that secure channels exist from all the directory servers in the domain to the domains that are specified by /testdomain. The /nositerestriction parameter prevents the test from being limited to the directory servers in the site.
- ObjectsReplicated
Checks that Machine Account and DSA objects have replicated. Use **/objectdn:**dn with **/n:**nc to specify an additional object to check.
- frssysvol
Checks that File Replication service (FRS) SYSVOL is ready.
- kccevent
Checks that KCC is completing without errors.
- systemlog
Checks that the system is running without errors.
- DcPromo
This command does not apply to ADAM.
- RegisterInDNS
This commmand does not apply to ADAM.
- DeadCRTest
Looks for cross-references that appear to be left over from a failed creation of an application directory partition.
- CheckSDRefDom
Checks that all application directory partitions have appropriate security descriptor reference domains.
- VerifyReplicas
Verifies that all application directory partitions are fully instantiated on all replica servers.
- CrossRefValidation
Verifies the validity of cross-references.
- VerifyReferences
Verifies that certain system references are intact for the FRS and Replication infrastructure.
- VerifyEnterpriseReferences
Verifies that certain system references are intact for the FRS and Replication infrastructure across all objects in the enterprise on each directory server.
- {/h** | /?}**
Displays a syntax screen at the command prompt.
Examples
Example 1: A normal ADAM instance
To examine an ADAM instance to verify that it is healthy and functioning properly, type the following at the command prompt:
dsdiag /s:adam1 /u:cohovineyard\administrator /p:password
Output similar to the following appears:
Directory Service Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\adam1
Starting test: Connectivity
......................... adam1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\adam1
Starting test: Replications
......................... adam1 passed test Replications
Starting test: NCSecDesc
......................... adam1 passed test NCSecDesc
Starting test: NetLogons
......................... adam1 passed test NetLogons
Starting test: Advertising
......................... adam1 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... adam1 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... adam1 passed test RidManager
Starting test: MachineAccount
......................... adam1 passed test MachineAccount
Starting test: Services
......................... adam1 passed test Services
Starting test: ObjectsReplicated
......................... adam1 passed test ObjectsReplicated
Starting test: frssysvol
......................... adam1 passed test frssysvol
Starting test: kccevent
......................... adam1 passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0xC25A001D
Time Generated: 12/21/2001 01:28:25
Event String: The time provider NtpClient is configured to
An Error Event occured. EventID: 0xC25A001D
Time Generated: 12/21/2001 01:40:30
Event String: The time provider NtpClient is configured to
An Error Event occured. EventID: 0xC25A001D
Time Generated: 12/21/2001 01:43:30
Event String: The time provider NtpClient is configured to
An Error Event occured. EventID: 0xC25A001D
Time Generated: 12/21/2001 01:58:46
Event String: The time provider NtpClient is configured to
An Error Event occured. EventID: 0xC25A001D
Time Generated: 12/21/2001 02:02:11
Event String: The time provider NtpClient is configured to
An Error Event occured. EventID: 0xC25A001D
Time Generated: 12/21/2001 02:05:11
Event String: The time provider NtpClient is configured to
An Error Event occured. EventID: 0xC25A001D
Time Generated: 12/21/2001 02:10:51
Event String: The time provider NtpClient is configured to
......................... adam1 failed test systemlog
Running partition tests on : Schema
Starting test: DeadCRTest
......................... Schema passed test DeadCRTest
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: DeadCRTest
......................... Configuration passed test DeadCRTest
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : cohovineyard
Starting test: DeadCRTest
......................... cohovineyard passed test DeadCRTest
Starting test: CheckSDRefDom
......................... cohovineyard passed test CheckSDRefDom
Running enterprise tests on : cohovineyard.reskit.com
Starting test: Intersite
......................... cohovineyard.reskit.com passed test Intersite
Starting test: FsmoCheck
......................... cohovineyard.reskit.com passed test FsmoCheck
Example 2: Unresponsive or inaccessible server
To resolve replication problems, type the following at the command line:
dsdiag /s:adam1 /u:cohovineyard\administrator /p:password /e
Output similar to the following appears:
Directory Service Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\adam1
Starting test: Connectivity
......................... adam1 passed test Connectivity
Testing server: Default-First-Site-Name\RESKIT-DC2
Starting test: Connectivity
Server RESKIT-DC2 resolved to this IP address 172.26.220.34,
but the address couldn't be reached(pinged), so check the network.
The error returned was: Error due to lack of resources.
This error more often means that the targeted server is
shutdown or disconnected from the network
......................... RESKIT-DC2 failed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\adam1
Starting test: Replications
[Replications Check,adam1] A recent replication attempt failed:
From RESKIT-DC2 to adam1
Naming Context: CN=Configuration,DC=cohovineyard,DC=reskit,DC=com
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2001-12-21 02:19:04.
The last success occurred at 2001-12-21 01:57:43.
1 failures have occurred since the last success.
The source remains down. Please check the machine.
......................... adam1 passed test Replications
Starting test: NCSecDesc
......................... adam1 passed test NCSecDesc
Starting test: NetLogons
......................... adam1 passed test NetLogons
Starting test: Advertising
......................... adam1 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... adam1 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... adam1 passed test RidManager
Starting test: MachineAccount
......................... adam1 passed test MachineAccount
Starting test: Services
......................... adam1 passed test Services
Starting test: ObjectsReplicated
......................... adam1 passed test ObjectsReplicated
Starting test: frssysvol
......................... adam1 passed test frssysvol
Starting test: kccevent
......................... adam1 passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0xC25A001D
Time Generated: 12/21/2001 01:28:25
Event String: The time provider NtpClient is configured to
An Error Event occured. EventID: 0xC25A001D
Time Generated: 12/21/2001 01:40:30
Event String: The time provider NtpClient is configured to
An Error Event occured. EventID: 0xC25A001D
Time Generated: 12/21/2001 01:43:30
Event String: The time provider NtpClient is configured to
An Error Event occured. EventID: 0xC25A001D
Time Generated: 12/21/2001 01:58:46
Event String: The time provider NtpClient is configured to
An Error Event occured. EventID: 0xC25A001D
Time Generated: 12/21/2001 02:02:11
Event String: The time provider NtpClient is configured to
An Error Event occured. EventID: 0xC25A001D
Time Generated: 12/21/2001 02:05:11
Event String: The time provider NtpClient is configured to
An Error Event occured. EventID: 0xC25A001D
Time Generated: 12/21/2001 02:10:51
Event String: The time provider NtpClient is configured to
An Error Event occured. EventID: 0xC25A001D
Time Generated: 12/21/2001 02:13:51
Event String: The time provider NtpClient is configured to
An Error Event occured. EventID: 0xC25A001D
Time Generated: 12/21/2001 02:18:58
Event String: The time provider NtpClient is configured to
......................... adam1 failed test systemlog
Testing server: Default-First-Site-Name\RESKIT-DC2
Skipping all tests, because server RESKIT-DC2 is
not responding to directory service requests
Running partition tests on : Schema
Starting test: DeadCRTest
......................... Schema passed test DeadCRTest
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: DeadCRTest
......................... Configuration passed test DeadCRTest
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : cohovineyard
Starting test: DeadCRTest
......................... cohovineyard passed test DeadCRTest
Starting test: CheckSDRefDom
......................... cohovineyard passed test CheckSDRefDom
Running partition tests on : reskit-sib
Starting test: DeadCRTest
......................... reskit-sib passed test DeadCRTest
Starting test: CheckSDRefDom
......................... reskit-sib passed test CheckSDRefDom
Running enterprise tests on : cohovineyard.reskit.com
Starting test: Intersite
......................... cohovineyard.reskit.com passed test Intersite
Starting test: FsmoCheck
......................... cohovineyard.reskit.com passed test FsmoCheck
Formatting legend
Format | Meaning |
---|---|
Italic |
Information that the user must supply |
Bold |
Elements that the user must type exactly as shown |
Ellipsis (...) |
Parameter that can be repeated several times in a command line |
Between brackets ([]) |
Optional items |
Between braces ({}); choices separated by pipe (|). Example: {even|odd} |
Set of choices from which the user must choose only one |
Courier font |
Code or program output |